On May 13th, the New York Privacy Act (“NYPA”) was introduced in the state’s Senate; if passed, this comprehensive consumer privacy law would be similar to the California Consumer Privacy Act (“CCPA”) and Virginia’s Consumer Data Protection Act (“VCDPA”), and it includes some elements that align it with Europe’s General Data Protection Regulation (“GDPR”). A version of NYPA was previously introduced in 2019, and the 2021 version contains a few changes that reflect the evolving data privacy landscape.
If passed, the NYPA would apply to organizations that conduct business or target consumers in New York and that satisfy at least one of the following thresholds (it’s important to note that only one of the criteria below needs to be exceeded for the law to apply):
The NYPA provides consumers a broad set of rights over their personal data, including the rights to:
Under the NYPA, data controllers must provide written notice to consumers when processing their personal data in an “easy-to-understand language at an eighth-grade reading level or below.” This notice must include a description of the consumers’ rights, the categories of personal data processed, the sources of that data, the purposes for which the data is processed, and the identities of all outside parties to whom the data is disclosed, as well as information about how those parties will use the data and how long they will retain it. The notice must be dated with its effective date and updated at least annually. The notice (as well as each version of the notice dating back six years) must be made readily available to consumers.
The NYPA prohibits discrimination against a consumer who exercises their rights under the law. For example, a business may not target the consumer by denying goods or services or charging a higher price.
The NYPA requires data brokers to register, pay an annual fee to the Attorney General, and submit information regarding their data use practices and contact information. The Attorney General must maintain a data broker registry on its website. Additionally, controllers must annually submit a list of all known data brokers, or persons reasonably believed to be data brokers, to whom the controller provided personal data in the preceding year, and may share personal data only with data brokers that are properly registered.
Data controllers are required to conduct and document annual risk assessments of all current processing of personal data. They must also develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of the personal data of consumers including adopting reasonable administrative, technical and physical safeguards appropriate to the volume and nature of the personal data at issue.
Yes, in fact the NYPA imposes more stringent rules than the CCPA and VCDPA in some important aspects, including by requiring data controllers to:
Under the NYPA, the New York Attorney General may bring an action to enforce violations of the law, with civil penalties of not more than $15,000 per violation (each instance of unlawful processing counts as a separate violation). Additionally, the NYPA would grant consumers a private right of action to seek the greater of actual damages or liquidated damages in the amount of $1,000, along with attorney’s fees. Importantly, an organization found to have violated the NYPA does not have the opportunity to cure the violation before facing enforcement actions or litigation.
Clym believes in striking a balance between legal compliance and business needs, which is why we provide a cost-effective, scalable and flexible platform to comply with LGPD, GDPR, CCPA and other laws, including those in the UK, as they come online. Our platform provides consumers with an effective and easy-to-navigate way to opt out of data collection while not infringing upon the website UI that businesses rely on to drive revenues. Contact us today about how your company can implement Clym to help manage your data privacy regulation compliance from a global perspective.